The last prioritized approach (v1.2) was released over 2 years ago now. Many have agreed, disagreed, argued (as you might expect with anything PCI related) about which order the controls should be in.
The standard “governance” controls we all know and love were pushed into the lowest priority milestone 6 category and odd things like “up to date network diagrams” were pushed into a highest priority milestone 1.
Rumour has it that the control order is to be reshuffled and some real security brought back into the standard, so with governance type controls coming first (risk assessment, accountability, operational security controls etc) and odd little nuances coming last.
This comes as fantastic news for any information security professional that's turned to the dark side, as governance has been shuffled to the back for too long.
What's excaberated the issue are last year's announcements that the card schemes will quite happily give safe harbour to any merchant that gets breached, but is found to be fully compliant with milestones 1-4. This has led to a huge deliberate ignorance of any milestone 5 and 6 control, many of which are cornerstones of an effective information security governance program.
So here we are, ears a-listening – will the council put Bob's balls on the block and dare to reshuffle the prioritized approach and finally give us something in a sensible order that forces manage the problem, rather than dress up for compliance once a year?
Version 2.0 – due any minute now (it's already a few weeks late)…